[Oisf-users] Question regarding a missed signature from AF-Packet
Jeremy A. Grove
jgrove at quadrantsec.com
Thu Sep 6 19:23:16 UTC 2018
I am using Suricata 4.1 on Debian with AF-Packet. I have recently tested the configuration by specifically looking for Suricata to alert on content in the body of the HTTP POST. Suricata did not trigger and it led me to repeat the process while recording a PCAP. When I run the PCAP through Suricata then Suricata alerts accurately and as expected.
My question is centered on where I should be looking for the difference in the configuration that would lead to no alert via AF-PACKET and then an alert generated with the same traffic through PCAP.
Any direction will be helpful. I have given some of the configuration dump below.
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = e1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.1 = interface
af-packet.1.interface = e3
af-packet.1.cluster-id = 98
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = yes
af-packet.2 = interface
af-packet.2.interface = e4
af-packet.2.cluster-id = 97
af-packet.2.cluster-type = cluster_flow
af-packet.2.defrag = yes
af-packet.3 = interface
af-packet.3.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
Jeremy Grove, SSCP
Security Engineer
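As an added example (not part of Jeremy's post), a small parser for the dotted `key = value` dump format quoted above: it rebuilds the nested config, merges the af-packet `default` entry into each real interface, and lists which keys the pcap-file section sets explicitly that a live interface does not. It assumes the `default` af-packet entry holds fallback values for the other interfaces; with the dump above it reports `checksum-checks`, which is one place to start comparing the two capture paths.

```python
"""Parse a Suricata dump-config style listing and compare af-packet with pcap-file.
Example code added here, not from the original post."""

# Constructed sample, trimmed from the dump quoted in the post.
DUMP = """\
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = e1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.3 = interface
af-packet.3.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
"""


def parse_dump(text):
    """Turn 'a.b.c = v' lines into nested dicts; '(null)' marks an empty container."""
    config = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        path, value = (s.strip() for s in line.split(" = ", 1))
        parts = path.split(".")
        node = config
        for part in parts[:-1]:
            # A list marker such as 'af-packet.0 = interface' becomes a container
            # as soon as a child key appears beneath it.
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        if value != "(null)" and not isinstance(node.get(parts[-1]), dict):
            node[parts[-1]] = value
    return config


def capture_gaps(config):
    """Per real af-packet interface: pcap-file keys the live path never sets.
    Assumes the 'default' interface entry supplies fallback values (suricata.yaml convention)."""
    afp = config.get("af-packet", {})
    defaults = next((e for e in afp.values() if e.get("interface") == "default"), {})
    pcap_keys = set(config.get("pcap-file", {}))
    gaps = {}
    for entry in afp.values():
        name = entry.get("interface")
        if name is None or name == "default":
            continue
        effective = {**defaults, **entry}
        gaps[name] = sorted(pcap_keys - set(effective))
    return gaps


if __name__ == "__main__":
    for iface, keys in capture_gaps(parse_dump(DUMP)).items():
        print(f"{iface}: set for pcap-file but not on the live path: {keys or 'none'}")
```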